North Korean Hackers Steal $2 Billion in 2025, Dominating Global Crypto Theft with Sophisticated Tactics

North Korean Cyber Heists Reach Unprecedented $2 Billion in 2025

In 2025, North Korean state-sponsored hackers orchestrated a series of cyberattacks that resulted in the theft of an unprecedented $2.02 billion in cryptocurrency. This staggering figure marks a 51% increase from the previous year, bringing the total stolen since 2016 to approximately $6.75 billion. Despite a reduction in the number of attacks, these groups have achieved larger payouts through meticulously planned operations.

The cryptocurrency industry faced over $3.4 billion in total theft during 2025, with North Korean operations accounting for 76% of all service compromises. These hackers employed two primary strategies: embedding IT workers within crypto exchanges, custodians, and web3 companies to gain trusted access, and executing sophisticated fake recruiter schemes. In these schemes, they impersonated representatives from major web3 and AI companies, conducting fraudulent job interviews and technical screenings to deceive employees.

Chainalysis researchers observed a shift in tactics, noting that attackers are now impersonating recruiters and conducting fake hiring processes designed to steal credentials, source code, and VPN access from victims’ current employers. At higher levels, they pose as strategic investors or business acquirers, using pitch meetings and fake due diligence to gather sensitive system information and identify entry points into valuable infrastructure.

A notable example of this shift is the February 2025 attack on the Bybit exchange, which resulted in the theft of $1.5 billion, one of the largest single cryptocurrency thefts in history. The incident exemplifies how North Korean groups are transitioning from numerous small-scale attacks to fewer, but significantly more damaging, operations. For the first time, the largest hack of the year was more than 1,000 times the size of a typical incident.

Sophisticated Laundering Operations and Detection Patterns

Following the theft of funds, North Korean hackers employ a structured 45-day laundering cycle that security teams can monitor. This process unfolds in three distinct phases:

1. Initial Phase (Days 1-5): Immediately after the theft, stolen funds are moved through decentralized finance (DeFi) protocols, whose activity spikes by 370%, and through mixing services, which see a 135% increase. This first layer of obfuscation is aimed at investigators attempting to trace the funds.

2. Transition Phase (Days 6-10): The strategy shifts to utilizing exchanges with limited identity verification and cross-chain bridges to transfer assets across different blockchains. During this period, centralized exchanges experience a 32% increase in funds, while mixing services continue to operate at a reduced intensity. This phase is critical as stolen funds begin moving toward potential cash-out points.

3. Final Phase (Days 20-45): The focus turns to converting cryptocurrency into fiat currency. Exchanges without Know Your Customer (KYC) requirements see an 82% increase in activity, while Chinese-language guarantee services like Tudou Danbao experience an 87% surge.

Analysts have identified that North Korean groups show a strong preference for Chinese-language money laundering services, with usage rates up to 1,753% higher than other cybercriminals. They structure their payments differently as well, keeping 60% of transfers below $500,000 to avoid detection, whereas other hackers prefer larger transactions between $1 million and $10 million.
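The phase windows and the sub-$500,000 structuring figure above can be turned into a screening heuristic. The following Python sketch is an added example written for this page, not code from Chainalysis or from the article: it scores a constructed set of transfers against the three phases and the 60% structuring share. The counterparty category labels (defi, mixer, cex_low_kyc, bridge, no_kyc_exchange, guarantee_service, otc) and the 50% per-phase match threshold are assumptions; real tracing attaches such labels through attributed address clusters rather than by hand.

```python
"""Heuristic screen for the phased DPRK-style laundering pattern.

All transfers below are constructed sample data, not chain data. The
category strings are an assumed taxonomy a tracing team would attach
to counterparty addresses.
"""
from collections import Counter
from dataclasses import dataclass

# Phase windows in days since the theft, as described in the article.
# Days 11-19 are deliberately unassigned: the report does not characterise them.
PHASES = {
    "initial": (1, 5),
    "transition": (6, 10),
    "final": (20, 45),
}

# Counterparty categories the article associates with each phase (assumed labels).
EXPECTED = {
    "initial": {"defi", "mixer"},
    "transition": {"cex_low_kyc", "bridge"},
    "final": {"no_kyc_exchange", "guarantee_service"},
}

STRUCTURING_THRESHOLD_USD = 500_000
STRUCTURING_SHARE = 0.60  # article: 60% of DPRK transfers stay below the threshold


@dataclass(frozen=True)
class Transfer:
    day: int        # days since the theft (day 1 = first day after the hack)
    category: str   # counterparty category label (assumed taxonomy)
    usd: float      # transfer value in USD


def phase_for_day(day):
    """Map a day offset to a phase name, or None if it falls in a gap."""
    for name, (lo, hi) in PHASES.items():
        if lo <= day <= hi:
            return name
    return None


def phase_match_scores(transfers):
    """Fraction of each phase's USD volume sent to that phase's expected services."""
    volume, matched = Counter(), Counter()
    for t in transfers:
        phase = phase_for_day(t.day)
        if phase is None:
            continue
        volume[phase] += t.usd
        if t.category in EXPECTED[phase]:
            matched[phase] += t.usd
    return {p: (matched[p] / volume[p] if volume[p] else 0.0) for p in PHASES}


def structuring_share(transfers):
    """Share of transfers (by count) kept below the structuring threshold."""
    if not transfers:
        return 0.0
    small = sum(1 for t in transfers if t.usd < STRUCTURING_THRESHOLD_USD)
    return small / len(transfers)


def matches_dprk_pattern(transfers, min_phase_match=0.5):
    """True when every phase is dominated by its expected services and the
    structuring share meets the reported 60% figure (threshold is an assumption)."""
    scores = phase_match_scores(transfers)
    return (all(s >= min_phase_match for s in scores.values())
            and structuring_share(transfers) >= STRUCTURING_SHARE)


# Constructed sample: DeFi/mixers first, then bridges and low-KYC CEXs,
# then no-KYC exchanges and guarantee services, mostly in sub-$500k pieces.
DPRK_LIKE = [
    Transfer(1, "defi", 480_000), Transfer(1, "defi", 450_000),
    Transfer(2, "mixer", 300_000), Transfer(3, "mixer", 2_000_000),
    Transfer(4, "defi", 400_000),
    Transfer(6, "bridge", 350_000), Transfer(7, "cex_low_kyc", 490_000),
    Transfer(9, "bridge", 1_500_000),
    Transfer(21, "no_kyc_exchange", 200_000), Transfer(30, "guarantee_service", 420_000),
    Transfer(40, "guarantee_service", 150_000), Transfer(44, "cex", 300_000),
]

# Constructed sample: a generic actor moving $1M-$10M chunks straight to exchanges.
GENERIC = [
    Transfer(1, "cex", 3_000_000), Transfer(2, "mixer", 5_000_000),
    Transfer(7, "cex", 8_000_000), Transfer(25, "cex", 2_500_000),
    Transfer(30, "otc", 1_200_000),
]

if __name__ == "__main__":
    for label, txs in (("DPRK-like", DPRK_LIKE), ("generic", GENERIC)):
        print(label, phase_match_scores(txs), round(structuring_share(txs), 2),
              matches_dprk_pattern(txs))
```

The screen is intentionally coarse: it is a triage signal for deciding which flows deserve manual tracing, not an attribution. Volume-weighted phase scores keep a few large off-pattern hops from being hidden by many small on-pattern ones, while the structuring share is counted per transfer, which is the behaviour the report describes.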

This distinctive pattern reveals operational constraints facing North Korean actors. Their heavy reliance on specific Chinese-language services and over-the-counter traders suggests tight integration with criminal networks across the Asia-Pacific region. These consistent preferences provide law enforcement and security teams with clear detection opportunities to identify and potentially intercept stolen funds.